quic: Avoid possible buffer overflow in find_bucket

Proved by fuzzing the code. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>
author: Frediano Ziglio <freddy77@gmail.com> 2020-04-30 10:19:09 +0100
committer: Frediano Ziglio <freddy77@gmail.com> 2020-09-17 06:46:57 +0100
commit: b24fe6b66b86e601c725d30f00c37e684b6395b6 (patch)
tree: 5f7c7cadbb97a4d8324d69205eb41caa8f53e168
parent: ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
index 8a5f7d2..6cc051b 100644
--- a/common/quic_family_tmpl.c
+++ b/common/quic_family_tmpl.c
@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
 {
     spice_extra_assert(val < (0x1U << BPC));
 
-    return channel->_buckets_ptrs[val];
+    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+     * attempts. Is much faster then using comparisons and save us from such situations.
+     * Note that on normal build the check above won't be compiled as this code path
+     * is pretty hot and would cause speed regressions.
+     */
+    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
 }
 
 #undef FNAME
author	Frediano Ziglio <freddy77@gmail.com>	2020-04-30 10:19:09 +0100
committer	Frediano Ziglio <freddy77@gmail.com>	2020-09-17 06:46:57 +0100
commit	b24fe6b66b86e601c725d30f00c37e684b6395b6 (patch)
tree	5f7c7cadbb97a4d8324d69205eb41caa8f53e168
parent	ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 (diff)